1getfacl(1) User Commands getfacl(1)
2
6 getfacl - display discretionary file information
7
9 getfacl [-ad] file...
10
13 For each argument that is a regular file, special file, or named pipe,
14 the getfacl utility displays the owner, the group, and the Access Con‐
15 trol List (ACL). For each directory argument, getfacl displays the
16 owner, the group, and the ACL and/or the default ACL. Only directories
17 contain default ACLs.
18 The getfacl utility may be executed on a file system that does not sup‐
21 port ACLs. It reports the ACL based on the base permission bits.
22 With no options specified, getfacl displays the filename, the file
25 owner, the file group owner, and both the ACL and the default ACL, if
26 it exists.
27
29 The following options are supported:
30 -a Displays the filename, the file owner, the file group owner, and
32 the ACL of the file.
33 -d Displays the filename, the file owner, the file group owner, and
36 the default ACL of the file, if it exists.
37
40 The following operands are supported:
41 file The path name of a regular file, special file, or named pipe.
43
46 The format for ACL output is as follows:
47 # file: filename
49 # owner: uid
50 # group: gid
51 user::perm
52 user:uid:perm
53 group::perm
54 group:gid:perm
55 mask:perm
56 other:perm
57 default:user::perm
58 default:user:uid:perm
59 default:group::perm
60 default:group:gid:perm
61 default:mask:perm
62 default:other:perm
63 When multiple files are specified on the command line, a blank line
68 separates the ACLs for each file.
69 The ACL entries are displayed in the order in which they are evaluated
72 when an access check is performed. The default ACL entries that may
73 exist on a directory have no effect on access checks.
74 The first three lines display the filename, the file owner, and the
77 file group owner. Notice that when only the -d option is specified and
78 the file has no default ACL, only these three lines are displayed.
79 The user entry without a user ID indicates the permissions that are
82 granted to the file owner. One or more additional user entries indicate
83 the permissions that are granted to the specified users.
84 The group entry without a group ID indicates the permissions that are
87 granted to the file group owner. One or more additional group entries
88 indicate the permissions that are granted to the specified groups.
89 The mask entry indicates the ACL mask permissions. These are the maxi‐
92 mum permissions allowed to any user entries except the file owner, and
93 to any group entries, including the file group owner. These permissions
94 restrict the permissions specified in other entries.
95 The other entry indicates the permissions that are granted to others.
98 The default entries may exist only for directories. These entries indi‐
101 cate the default entries that are added to a file created within the
102 directory.
103 The uid is a login name or a user ID if there is no entry for the uid
106 in the system password file, /etc/passwd. The gid is a group name or a
107 group ID if there is no entry for the gid in the system group file,
108 /etc/group. The perm is a three character string composed of the let‐
109 ters representing the separate discretionary access rights: r (read), w
110 (write), x (execute/search), or the place holder character −. The perm
111 is displayed in the following order: rwx. If a permission is not
112 granted by an ACL entry, the place holder character appears.
113 If you use the chmod(1) command to change the file group owner permis‐
116 sions on a file with ACL entries, both the file group owner permissions
117 and the ACL mask are changed to the new permissions. Be aware that the
118 new ACL mask permissions may change the effective permissions for addi‐
119 tional users and groups who have ACL entries on the file.
120 In order to indicate that the ACL mask restricts an ACL entry, getfacl
123 displays an additional tab character, pound sign (#), and the actual
124 permissions granted, following the entry.
125
127 Example 1 Displaying file information
128 Given file foo, with an ACL six entries long, the command
131 host% getfacl foo
134 would print:
139 # file: foo
142 # owner: shea
143 # group: staff
144 user::rwx
145 user:spy:−−−
146 user:mookie:r−−
147 group::r−−
148 mask::rw−
149 other::−−−
150 Example 2 Displaying information after chmod command
154 Continue with the above example, after chmod 700 foo was issued:
157 host% getfacl foo
160 would print:
165 # file: foo
168 # owner: shea
169 # group: staff
170 user::rwx
171 user:spy:−−−
172 user:mookie:r−− #effective:−−−
173 group::−−−
174 mask::−−−
175 other::−−−
176 Example 3 Displaying information when ACL contains default entries
180 Given directory doo, with an ACL containing default entries, the com‐
183 mand
184 host% getfacl -d doo
187 would print:
192 # file: doo
195 # owner: shea
196 # group: staff
197 default:user::rwx
198 default:user:spy:−−−
199 default:user:mookie:r−−
200 default:group::r−−
201 default:mask::−−−
202 default:other::−−−
203
207 /etc/passwd system password file
208 /etc/group group file
211
214 See attributes(5) for descriptions of the following attributes:
215 ┌─────────────────────────────┬─────────────────────────────┐
220 │ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
221 ├─────────────────────────────┼─────────────────────────────┤
222 │Availability │SUNWcsu │
223 ├─────────────────────────────┼─────────────────────────────┤
224 │Interface Stability │Evolving │
225 └─────────────────────────────┴─────────────────────────────┘
226
228 chmod(1), ls(1), setfacl(1), acl(2), aclsort(3SEC), group(4),
229 passwd(4), attributes(5)
230
232 The output from getfacl is in the correct format for input to the set‐
233 facl -f command. If the output from getfacl is redirected to a file,
234 the file may be used as input to setfacl. In this way, a user may eas‐
235 ily assign one file's ACL to another file.
236SunOS 5.11 5 Nov 1994 getfacl(1)